Security News

Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
2022-02-22 18:08

Threat analysts have observed a new wave of attacks installing Cobalt Strike beacons on vulnerable Microsoft SQL Servers, leading to deeper infiltration and subsequent malware infections. The attacks start with threat actors scanning for servers with an open TCP port 1433, which are likely public-facing MS-SQL servers.

Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike
2022-02-21 23:22

Vulnerable internet-facing Microsoft SQL Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. "Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers," South Korean cybersecurity company AhnLab Security Emergency Response Center said in a report published Monday.

Emotet starts dropping Cobalt Strike again for faster attacks
2021-12-15 21:59

Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks. Earlier this month, Emotet began to test installing Cobalt Strike beacons on infected devices instead of their regular payloads.

Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike
2021-10-27 06:47

A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world," said researchers with Cisco Talos in a technical write-up.

SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike
2021-10-26 22:25

SquirrelWaffle, a new malware loader, is mal-spamming malicious Microsoft Office documents to deliver Qakbot malware and the penetration-testing tool Cobalt Strike - two of the most common threats regularly observed targeting organizations around the world. Cisco Talos researchers said on Tuesday that they got wind of the malspam campaigns beginning in mid-September, when they saw the booby-trapped Office documents working to infect systems with SquirrelWaffle in the initial stage of the infection chain.

Spammers use Squirrelwaffle malware to drop Cobalt Strike
2021-10-26 19:45

A new malware threat named Squirrelwaffle has emerged in the wild, supporting actors with an initial foothold and a way to drop malware onto compromised systems and networks. The new malware tool spreads via spam campaigns dropping Qakbot and Cobalt Strike in the most recent campaigns.

Recycled Cobalt Strike key pairs show many crooks are using same cloned installation
2021-10-22 16:32

Around 1,500 Cobalt Strike beacons uploaded to VirusTotal were reusing the same RSA keys from a cracked version of the software, according to a security researcher who pored through the malware repository. Didier Stevens, the researcher with Belgian infosec firm NVISO who discovered that private Cobalt Strike keys are being widely reused by criminals, told The Register: "While fingerprinting Cobalt Strike servers on the internet, we noticed that some public keys appeared often. The fact that there is a reuse of public keys means that there is a reuse of private keys too: a public key and a private key are linked to each other."

Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks
2021-09-16 21:50

Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center said in a technical write-up.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
2021-09-14 06:13

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - marks one of the rare Linux ports of what has traditionally been a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks.

Hacker-made Linux Cobalt Strike beacon used in ongoing attacks
2021-09-13 14:00

An unofficial Cobalt Strike Beacon Linux version, made from scratch by unknown threat actors, has been spotted by security researchers while being actively used in attacks targeting organizations worldwide. Cobalt Strike is also used by threat actors for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices.